KISTI Grid CA Status Report
Korea Institute of Science and Technology Information
Sangwan Kim ([email protected])
Jae-Hyuck Kwan ([email protected])
5th APGrid PMA Meeting, September 16 2008, Biopolis, Singapore
Contents
• History of KISTI Grid CA Operation
• KISTI Grid CA Overview
• Statistics
• Future Works
History of KISTI Grid CA Operation
• K*Grid Project started in 2002 in Korea.
• Experimental CA System (2002 ~ June 2004)
  ▶ Statistics
    • # of users (subscribers): more than 390 users
    • # of issued certificates: more than 3,000 certificates
• Production Level CA System (June 2004 ~ June 2007)
  ▶ Statistics
    • # of users (subscribers): more than 60 users
    • # of issued certificates: more than 400 certificates
• Production CA v2.0 (June 2007 ~)
  ▶ Statistics
    • # of users (subscribers): 27
    • # of issued certificates: 66 certificates
KISTI Grid CA Overview
• Web Site (online certificates repository)
  ▶ http://ca.gridcenter.or.kr/
• CA cert
  ▶ http://ca.gridcenter.or.kr/certs/certificates/722e5071.0
  ▶ Valid: Jul 12, 2007 – Aug 1, 2017 (10 years)
  ▶ Key size: 2048 bits
• Certificate Policy & Practice Statement:
  ▶ http://ca.gridcenter.or.kr/cps/KISTI-CPCPS-2.0.html
  ▶ Based on RFC 3647
  ▶ X.509 OID: 1.3.6.1.4.1.14305.1.1.1.2.0
• CRL
  ▶ http://ca.gridcenter.or.kr/CRL/722e5071.crl
  ▶ X509 Version 2, CRL life time: 30 days (new CRL 7 days before expiration of the previous one)
KISTI Grid CA Overview
• Certificate Profile: X509 v3 Extensions
  ▶ CA certificate
    • Basic Constraints: CA: TRUE
    • Key Usage: critical, Certificate Sign, CRL Sign
    • Certificate Policies: 1.3.6.1.4.1.14305.1.1.1.2.0
  ▶ User certificates
    • Basic Constraints: CA: FALSE
    • Key Usage: critical, Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    • Extended Key Usage: TLS Web Client Authentication
    • Issuer Alternative Name, CRL Distribution Point, Policies OID
  ▶ Host certificates
    • Basic Constraints: CA: FALSE
    • Key Usage: critical, Digital Signature, Key Encipherment, Data Encipherment
    • Extended Key Usage: TLS Web Server/Client Authentication
    • Issuer Alternative Name, CRL Distribution Point, Policies OID
    • Subject Alternative Name: DNS:<FQDN of the host>
KISTI Grid CA Overview
• Name forms
  ▶ Issuer:
    • C=KR, O=KISTI, O=GRID, CN=KISTI Grid Certificate Authority
  ▶ User DN:
    • C=KR, O=KISTI, O=GRID, O=[applicant's organization], CN=[the name of applicant]
  ▶ Host DN:
    • C=KR, O=KISTI, O=GRID, O=[applicant's organization], CN=[FQDN of the hostname]
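As an added illustration (not KISTI's own code), the following Python lint checks an end-entity certificate's already-decoded fields against the user/host profile and name forms on the two preceding slides. The dict layout, the `parse_dn` and `lint` names, the sample values, and the exact-match reading of Key Usage and Extended Key Usage are assumptions; the DN parser is simplified and does not handle commas inside values.

```python
import re

# Name-form prefix and profile values come from the slides; the dict layout is hypothetical.
PREFIX = [("C", "KR"), ("O", "KISTI"), ("O", "GRID")]
PROFILE = {
    "user": {"ku": {"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment"},
             "eku": {"clientAuth"}},
    "host": {"ku": {"digitalSignature", "keyEncipherment", "dataEncipherment"},
             "eku": {"serverAuth", "clientAuth"}},
}
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Constructed sample of a conforming host certificate (not a real KISTI certificate).
SAMPLE_HOST = {"type": "host", "ca": False, "ku_critical": True,
               "subject": "C=KR, O=KISTI, O=GRID, O=Example Lab, CN=node1.example.org",
               "ku": ["digitalSignature", "keyEncipherment", "dataEncipherment"],
               "eku": ["serverAuth", "clientAuth"], "san_dns": ["node1.example.org"]}

def parse_dn(dn):
    """Split 'C=KR, O=KISTI, ...' into ordered (attribute, value) pairs."""
    pairs = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def lint(cert):
    """Return a list of deviations from the profile; an empty list means conforming."""
    problems, kind = [], cert["type"]
    rdns = parse_dn(cert["subject"])
    # Expected shape: fixed C/O/O prefix, then one applicant O and one CN.
    if rdns[:3] != PREFIX or len(rdns) != 5 or [a for a, _ in rdns[3:]] != ["O", "CN"]:
        problems.append("subject does not match the KISTI name form")
    cn = rdns[-1][1]
    if cert["ca"]:
        problems.append("Basic Constraints must be CA:FALSE")
    if not cert["ku_critical"] or set(cert["ku"]) != PROFILE[kind]["ku"]:
        problems.append("Key Usage differs from profile")
    if set(cert["eku"]) != PROFILE[kind]["eku"]:
        problems.append("Extended Key Usage differs from profile")
    if kind == "host":
        if not FQDN.match(cn):
            problems.append("host CN is not an FQDN")
        if cn.lower() not in [d.lower() for d in cert.get("san_dns", [])]:
            problems.append("SAN lacks DNS entry for the host CN")
    return problems
```
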
Statistics
• # of Applicants: 78
• # of Certificates
  ▶ User certificates
    • 68 valid, 4 revoked, 3 expired
  ▶ Host certificates
    • 162 valid, 4 revoked, 3 expired
Future Works
• Some improvement of web system (user interfaces, design, etc.)
• Self-auditing of KISTI CA
Thank You For Your Attention